OpenTTD vulnerabilities could allow remote code execution

The OpenTTD developers have discovered three security issues in the open source game based on MicroProse's Transport Tycoon Deluxe. One issue, a buffer overflow in save games, can crash the game and possibly lead to the execution of arbitrary code; the bug has been present since version 0.1.0.

In another issue, improperly validated commands from the server can cause a denial of service. The third issue involves buffer overflows when validating external data read from the local filesystem; this could lead to arbitrary code execution. All three bugs are due to be fixed in an upcoming 1.1.3 release; a release candidate for that version is available. OpenTTD is licensed under the GPLv2.